Good morning and welcome to today's brief. Well, things sure have gotten crazy since the last brief. Not that it's helped that I haven't been able to get a brief written up until now, so there were a ton of articles to read through to write this one up. A good chunk of today's brief covers Zoom, which is in the headlines for all the bad reasons, also covering threats to your SQL servers, a bunch of bugs to be aware of, some data breaches and leaks that have happened, and some posts from the community to share!

Zoom Zoom

Oh boy, this is a doozy. I've been saving up so many articles on the whole Zoom situation that could cover a full brief on their own! There are some duplicates, but with this, I don't think a different perspective will hurt. Let's dive into this! I'll shorten all the links for this just to help with the wall of text that's inbound.

Starting off, today Zoom Video Communications announced a freeze on new features for 90 days while they reorganize to deal with the rush of security issues that have been found (1). There will also be transparency reports in the near future regarding requests for data from law enforcement and government agencies, as well as an enhanced bug bounty program. Lastly, the CEO will be on a weekly webinar to discuss privacy and security updates. I hope these initiatives will help Zoom, as everything I've seen in the last week shows something big needs to happen (2).

First, it started with an iOS bug that shared info with Facebook (3) through the Facebook SDK. No mention I've seen of whether this was intentional or not, but the SDK has been removed to resolve that. Then we got into Zoom-bombing (4), which has taken off to a huge degree due to some security snafus. There is even a tool, called zWarDial (5), to brute force into meetings (also, don't share invites publicly, just no). Then there have been issues with the Windows client (6) turning UNC paths into links, or running programs (7). Then a macOS installer issue that installed the Zoom app without final user consent (8). Another bug was also fixed for macOS (9) that could allow malicious code access to the mic and camera without the user knowing. Then we move into the data leaks, as it was recently found that with data mining (10), Zoom was able to ID users, even anonymous ones, to a LinkedIn profile (11). This has been disabled. Then, it was found Zoom would automatically add users into a Corporate Directory if they shared the same domain, which is good for companies... but when personal emails are involved (12), that's not a great thing to have happen. With all this going on, there has been a lot of pressure regarding security with Zoom, so it's good to know what Zoom [currently] classifies as end-to-end encryption, as many have reported it isn't what they expected (13). Suffice it to say, it's good Zoom is dedicating their engineers to security right now. Especially when even attackers are taking advantage and pushing Zoom malware (14).

Hide Yo SQL

If you don't have strong admin credentials on your SQL servers, there is a good chance you have or will deal with Vollgar, the Vollar cryptocurrency miner. Going on 2 years now, it has been using brute force techniques to get into SQL servers and mine crypto. The good news is that more than 60% of the servers are only part of the botnet for 2 days, but 20% remain infected for longer and even 10% get reinfected. The good news is that there is a GitHub repo that has scripts to help detect backdoors and accounts so you can properly clear them up.

Now this is an interesting one I came across. It is a situation where a company received in the mail a fake BestBuy gift card and a USB containing a "list of all the items they could buy", but in reality, it was a USB that would impersonate a keyboard and send commands to the computer. This one would run PowerShell commands to download a PowerShell script to install malware. The malware that would be installed is new; it hadn't been seen before, but it was uploaded to VirusTotal not too long after this situation. So be careful out there.

Channeling a little Dave the Barbarian there for that title. iOS has a [currently] unpatched bug in versions 13.3.1 or older that can lead to VPN connections not fully enclosing all traffic, leading to data leakage as a user unknowingly visits websites thinking they are safe. If there are any active connections before a VPN connection is established, anything new will be safe, but anything before won't be protected. This isn't just for web browsers, but anything with a connection on the device, including apps and services that connect out. Until fixed, either set up Always-on VPN, or toggle airplane mode once the VPN is connected (it's noted that this isn't 100% effective).

If you support CODESYS and you're running the web server for it, you'll want to update to version 3.5.15.40 as soon as you can, as older versions have a buffer overflow bug that could allow for DoS, crash the server, allow for remote code execution or something else unexpected. There is a proof-of-concept, but no mention of active attacks.

If you've used Firefox and Twitter on a public or shared computer, be aware that there was an issue with this combination that allowed Firefox to cache private media sent via DM or downloaded in an account archive. By default, Firefox clears the cache once a week, but if you have used Twitter on a public computer, you may want to consider that the media you had could have been accessed.

Two plugins for WordPress have been recently found to cause headaches to web admins and site owners all over. The first is with Rank Math, which helps with SEO, and also allows a regular user to grant themselves admin rights and revoke other admins' permissions! That's some strong SEO right there! The second is with Contact Form 7 Datepicker, which is an unsupported plugin and has an XSS vulnerability that can also allow someone to get admin access. If your site has this, remove it NOW!

The first one for this is with Key Ring Cloud, which is a digital wallet and is used to store debit, credit or loyalty cards to make it easier for them to use. The problem is there was a misconfiguration of cloud databases that exposed the data of 44 million items, including full credit card details, IDs and even medical insurance cards. This isn't from just 1 database, but 5! This was discovered in February and Key Ring secured the databases 2 days after, but never responded to the team that found this. You may want to consider if you want to stay with Key Ring if you're using them currently. Key Ring didn't respond for the article either.

Marriott has reported a breach regarding the data of about 5.2 million guests. This was discovered at the end of February when the credentials of two employees were compromised. Account info is believed to have been exposed, but not card info or credentials.

GoDaddy was also a victim of this type of attack recently as well, as a customer service rep was phished and someone was able to access several customer records and even changed the DNS records for escrow.com. That's also an oopsie.

It's been a while, so to wrap up today, let's cover some posts in the community! First up is by RoyalBlueTeam which shared some info regarding AlienVault Open Threat Exchange (OTX) which collects URLs, and in the case of Zoom, the URLs reveal the meeting ID. Something to be aware of with OTX.

Brianinca also shared about the new DNS filtering that Cloudflare is offering for families, as well as details of an audit that Cloudflare went through. There were some findings, but the summary is that it supports their public statements for privacy. I recommend you review the details of this so you can make your own decision if you want to use Cloudflare.

BuckyIT shared a post over the weekend on what he's dealing with in our crazy times with this virus and how he's handling supporting his business' needs. It's a great read and has some good info to consider!

Lastly, b0rt is looking for suggestions on how to perform forensics with USB devices and blocking write access to facilitate that (which is critical for forensics to prevent breaking the custody chain). Another great post to jump into to share your thoughts or to learn from others!
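As an added example (not from the brief, and not the scripts from the Vollgar write-up it summarizes), here is a small detector for the SQL Server brute forcing the Vollgar item describes: it reads standard ERRORLOG "Login failed" / "Login succeeded" lines, flags client addresses that pile up failures inside a short window, and notes whether a login later succeeded from the same address. The log excerpt, the names Event, parse_logon_lines and analyze, and the 5-failures-per-minute threshold are my own constructions.

```python
import re
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

# Constructed sample ERRORLOG excerpt (documentation-range addresses, not real IoCs).
SAMPLE_LOG = """\
2020-04-01 02:15:01.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2020-04-01 02:15:01.42 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2020-04-01 02:15:02.05 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2020-04-01 02:15:02.77 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 203.0.113.5]
2020-04-01 02:15:03.19 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2020-04-01 02:15:40.00 Logon       Login failed for user 'backup'. Reason: Could not find a login matching the name provided. [CLIENT: 198.51.100.7]
2020-04-01 02:15:44.88 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.5]
"""

Event = namedtuple("Event", "ts result user ip")

# One ERRORLOG logon line: timestamp, "Logon" source, outcome, login name, client address.
LOGON_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+Logon\s+"
    r"Login (?P<result>failed|succeeded) for user '(?P<user>[^']*)'.*\[CLIENT: (?P<ip>[^\]]+)\]$"
)


def parse_logon_lines(text):
    """Return the logon events found in an ERRORLOG excerpt, in file order."""
    events = []
    for line in text.splitlines():
        m = LOGON_LINE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            events.append(Event(ts, m["result"], m["user"], m["ip"]))
    return events


def analyze(text, threshold=5, window=timedelta(minutes=1)):
    """Map each client IP whose failures reach `threshold` inside any `window`
    to its peak failure count, the logins it tried, and whether a success
    from the same IP followed the failures (the case worth paging on)."""
    per_ip = defaultdict(list)
    for ev in parse_logon_lines(text):
        per_ip[ev.ip].append(ev)
    alerts = {}
    for ip, evs in per_ip.items():
        evs.sort(key=lambda e: e.ts)
        fails = [e for e in evs if e.result == "failed"]
        start = peak = 0
        for end in range(len(fails)):  # sliding window over the failures only
            while fails[end].ts - fails[start].ts > window:
                start += 1
            peak = max(peak, end - start + 1)
        if not fails or peak < threshold:
            continue
        success_after = any(e.result == "succeeded" and e.ts >= fails[0].ts for e in evs)
        alerts[ip] = {"peak_failures": peak,
                      "users": sorted({e.user for e in fails}),
                      "success_after_failures": success_after}
    return alerts
```

A burst against `sa` followed by a success from the same address is the signal to treat the host as compromised and go looking for the added logins and backdoors the write-up's scripts hunt for.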

Speaking of Zoom and the complete blind leading the blind, this happened to me today: I warned a veterans' group that hosts a weekly Zoom meeting to "be careful" -


B and C,
FYI, there are several cybersecurity concerns about Zoom Meetings that people should be aware of, including the ability to potentially have Microsoft Windows account credentials stolen:
https://www.itpro.co.uk/security/cyber-crime/355171/fbi-warns-of-zoom-bombing-hackers-amidst-coronavirus-usage-spike
https://www.businessinsider.com/zoom-ceo-sorry-privacy-security-2020-4
Just be careful out there and do not take Zoom for granted that it is 100% secure, because it is not, at least not yet.
Very respectfully,
- Mike

Pretty straightforward, just "watch out". I got this in response:


I just spoke to my boyfriend who is an IT specialist for a large company and they use ZOOM for all their meetings. What I was told is it is just as secure as any platform out there. When a meeting is started if everyone is confirmed to have a purpose in that meeting then it is good. Unfortunately in this crazy world we are living in with all having to work from home there will always be that question of security in conducting virtual meetings.

Oh, really? I guess I was put in my place by her boyfriend c-blocking me ("c" standing for "cyber" lol), so, I just let it drop. For those who don't know me, that's dripping with sarcasm ;) Without further ado, my response:


C,
I've been a system administrator since the early 90s and a cybersecurity analyst going back to 2000 when I was the Computer Emergency Response Team (CERT) Chief for the Massachusetts Army National Guard. I am only pointing out that there are some VERY serious issues with Zoom that only recently came to light, as in the past week or two, including some that were announced just yesterday, that people need to be aware of and not to take it for granted just because it's free and it's popular. Even the CEO and founder of Zoom admits it has a lot of problems that need to be corrected.
There are many companies and schools that are outright banning the use of it because of security and privacy issues. I know this group as a whole is kinda stuck as everyone does not work for the same organization; it is a solution that fits the need. I'm not saying "don't use it", I'm just saying "be aware".
Very respectfully,
- Mike

No response.

B is a good friend of mine and a fellow veteran, Air Force, but still a vet, kinda ;) So he and I get along great even though he's old enough to be my father. For the veterans, "get along great" means we bust each other's chops all.the.time - it's a requirement lol. So, am I smug? Sure, this wasn't my first rodeo by any means.

Edit: fixed my typo that was pointing out Jimmy T.'s typo LOL. That's what happens when you haven't had your coffee

SNAFU, where Zoom is concerned. Even knowing all of this, Uncle Sam still has Zoom going full force between members. I'm sure there are no confidential materials being discussed, and I'm also sure this is all being done on the unclassified network. But still. Your own people are telling you NOT to use Zoom, but you do anyway. :) Also worth noting, I mentioned the Zoom badness to my son. Typical response, and I should have expected it, "but all my classes are using it." <facepalm>

Zooming into the distance. Our deep thinkers have finally consulted our Data Protection Officer, and it is no longer an option; we will continue with Google Meet. I fanned the flames from time to time Muuwuuhahahaha, Zoom has always been a pain for Mac admins...

although, hate to be that guy... but i find it ironic about all this info regarding data blah blah blah... then there's a link to a discord group. That is one app i do not trust after reading their terms of service... not to mention all the shady crap you can find on there.

That's a good point CarlosTech. I've come across a few things, but I haven't seen anything that has driven me away. The main reason I share it is because that Discord is where a lot of Spiceheads are. I used to share my Twitter link, but I don't have time to maintain that, so I'd at least direct anyone interested in a place that is active. It's a choice to go, no one has to.

Also, as for the shady stuff in Discord... well, you can only do so much about that. There is a ton of shady stuff on Reddit, but people still visit. Not all servers are the same.

I understand ... it's an easy global means to manage and use... and like you say... most of these social platforms have shady stuff... that can't be helped.

just gave me a little giggle... only because i came across a guy at work on some shady server on discord (fraud related) and i was like... you know discord records the computer name, network details and anything you type or interact with... he quickly uninstalled it (well i blocked it for extra measure.)

I think too much fear mongering and media creating FUD overshadows the work that Zoom is doing to protect the end users. Don't get me wrong, there are a lot of other products out there to use, but when we scare everyone away from the one tool that works and with some tweaks in the application, it's safe and secure to use. Nothing is 100% secure, we just adjust our risk and mitigate to protect our networks, data and people.

Here is a great comment from a leader in cybersecurity, Dave Kennedy (this was part of a much larger tweet, but this hits on it well)

Zoom has fixed the problems that have arisen and will continue to do so. (just make sure you're checking for updates) No point in kicking a horse when it's down, when we need it to ride cross country. Sure you can find another horse and ride that one instead, but remember: not everyone is as skilled at riding a horse as you are.

Agreed fully there James (KnowBe4). What's unique is that all this has happened in a short amount of time. From what I've seen, all the bugs and issues that have come up have been fixed and they have dedicated their time now to fix things. Another part of this is people doing things they shouldn't. Why someone would think sending a high profile meeting on social media was a good idea is beyond me.

I agree...I think it comes down to "they didn't think anyone would notice" or forgot the whole world can see the notice. I belong to a security group and we did a meet up on Zoom last Friday. One of the guys put the Zoom link on the Twitter feed for the group to see. 15 minutes into the meeting BOOM! - we were hit with Zoombombers. Literally jumped on saying all kinds of nasty stuff to the people on the call etc. Ironically, there was a password, but it was integrated with the link. Lesson learned there.

No BadUSB on the voting list? I guess I have to do a write in campaign.

I always find crafted USB devices interesting, and I've been toying with the idea of remaking a keyboard into ... something...just don't know what yet. A USB stick that ran PowerShell scripts would have a lot of good and use in my location.

Because, well, users! Don't forget, they are the ones that keep us employed, even though we bang our heads against the wall because of them - lol

I am amazed and dismayed by the piling on I see with Zoom's issues. This was a relatively small & not particularly well known company until the coronavirus sent everyone searching for cheap, or even free, remote tools. Nothing they have been accused of is any different from every single other company out there, and they have done a much better job of responding to security & privacy concerns than almost any larger, older company I can think of. Zoom has issued a fix and statement for every perceived information leak or security bug, and in a very timely manner. Now go read the rest of this SOC Brief, and how many products are being patched years after they have been released. Personally I will continue to use Zoom, and encourage others to do so. Just don't publish your invites on social media, people! Duh!